import { Construct, PolicyDocument, PolicyStatement } from '@aws-cdk/cdk';
import { EncryptionKeyAlias } from './alias';
import { KeyArn } from './kms.generated';
/**
 * Properties that identify a KMS key defined outside the current construct
 * tree, as accepted by `EncryptionKeyRef.import` and returned by `export()`.
 */
export interface EncryptionKeyRefProps {
    /**
     * The ARN of the external KMS key.
     */
    keyArn: KeyArn;
}
/**
 * Common base for KMS keys, whether defined in this app (`EncryptionKey`) or
 * imported by ARN.
 *
 * The resource policy is optional on this type: a key with no `policy`
 * (described below as an external key) cannot have statements added through
 * this construct.
 */
export declare abstract class EncryptionKeyRef extends Construct {
    /**
     * Defines an imported encryption key.
     *
     * `props` can be obtained either via a call to `key.export()` or using
     * literals.
     *
     * For example:
     *
     *   const keyRefProps = key.export();
     *   const keyRef1 = EncryptionKeyRef.import(this, 'MyImportedKey1', keyRefProps);
     *   const keyRef2 = EncryptionKeyRef.import(this, 'MyImportedKey2', {
     *     keyArn: new KeyArn('arn:aws:kms:...')
     *   });
     *
     * Only the ARN is carried by `props`; no policy document is part of the
     * reference, so see `addToResourcePolicy` for how policy edits behave on
     * a key without one.
     *
     * @param parent The parent construct.
     * @param name The name of the construct.
     * @param props The key reference.
     * @returns A key construct that refers to the key identified by `props`.
     */
    static import(parent: Construct, name: string, props: EncryptionKeyRefProps): EncryptionKeyRef;
    /**
     * The ARN of the key.
     */
    abstract readonly keyArn: KeyArn;
    /**
     * Optional policy document that represents the resource policy of this key.
     *
     * If specified, `addToResourcePolicy` can be used to edit this policy.
     * Otherwise `addToResourcePolicy` will no-op, or fail when called with
     * `allowNoOp` set to `false`.
     */
    protected abstract readonly policy?: PolicyDocument;
    /**
     * Defines a new alias for the key.
     *
     * @param alias The alias to define.
     * @returns The alias construct.
     */
    addAlias(alias: string): EncryptionKeyAlias;
    /**
     * Adds a statement to the KMS key resource policy.
     *
     * A no-op means the statement is not applied anywhere, so a grant the
     * caller relies on can be absent without any error being raised. Pass
     * `false` for `allowNoOp` when the statement must take effect.
     *
     * NOTE(review): the behaviour when `allowNoOp` is omitted is not visible
     * in this declaration; confirm it against the implementation.
     *
     * @param statement The policy statement to add
     * @param allowNoOp If this is set to `false` and there is no policy
     * defined (i.e. external key), the operation will fail. Otherwise, it will
     * no-op.
     */
    addToResourcePolicy(statement: PolicyStatement, allowNoOp?: boolean): void;
    /**
     * Exports this key from the current stack.
     * @returns a key ref which can be used in a call to
     * `EncryptionKeyRef.import(parent, name, ref)`.
     */
    export(): EncryptionKeyRefProps;
}
/**
 * Construction properties for a KMS Key object
 */
export interface EncryptionKeyProps {
    /**
     * A description of the key. Use a description that helps your users decide
     * whether the key is appropriate for a particular task.
     */
    description?: string;
    /**
     * Indicates whether AWS KMS rotates the key.
     *
     * Rotation is off unless this is set explicitly.
     * @default false
     */
    enableKeyRotation?: boolean;
    /**
     * Indicates whether the key is available for use.
     * @default Key is enabled
     */
    enabled?: boolean;
    /**
     * Custom policy document to attach to the KMS key.
     *
     * NOTE(review): this declaration does not show whether a custom policy
     * replaces the default administrative statement or is merged with it;
     * confirm, because a key policy that names no administrative principal
     * can leave the key unmanageable.
     *
     * @default A policy document with permissions for the account root to
     * administer the key will be created.
     */
    policy?: PolicyDocument;
}
/**
 * Defines a KMS key.
 */
export declare class EncryptionKey extends EncryptionKeyRef {
    /** The ARN of the key defined by this construct. */
    readonly keyArn: KeyArn;
    /** Resource policy of this key; optional in the type, as on the base class. */
    protected readonly policy?: PolicyDocument;
    /**
     * @param parent The parent construct.
     * @param name The name of the construct.
     * @param props Optional key configuration; see `EncryptionKeyProps` for
     * the documented defaults.
     */
    constructor(parent: Construct, name: string, props?: EncryptionKeyProps);
    /**
     * Let users from this account admin this key.
     *
     * Presumably this produces the default described on
     * `EncryptionKeyProps.policy`; the signature and body are not part of
     * this declaration file, so verify against the implementation.
     * @see https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/
     */
    private allowAccountToAdmin;
}